Bug 1063866

Summary: Patch for CVE-2013-6393 introduces regression
Product: [Fedora] Fedora
Reporter: John Eckersberg <jeckersb>
Component: libyaml
Assignee: John Eckersberg <jeckersb>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 20
CC: jeckersb
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: libyaml-0.1.5-1.fc20
Doc Type: Bug Fix
Last Closed: 2014-02-22 18:10:16 UTC
Type: Bug

Description John Eckersberg 2014-02-11 14:58:16 UTC
Original report from Debian:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738587

===
The patch libyaml-indent-column-overflow-v2.patch applied for the
update to address CVE-2013-6393 introduces a regression which can be
seen when parsing a small YAML sample file with the tests/run-parser.c
utility:

----cut---------cut---------cut---------cut---------cut---------cut-----
%YAML 1.1
--- # Indented Block
  name: John Smith
  age: 33
--- # Inline Block
{name: John Smith, age: 33}
----cut---------cut---------cut---------cut---------cut---------cut-----

Compiling run-parser.c in the source and running it against this YAML file
leads, with the patch applied, to:

# ./run-parser ./regression.yaml 
[1] Parsing './regression.yaml': FAILURE (9 events)

Upstream has indeed addressed this part slightly differently, with [1]
and [2].

 [1] https://bitbucket.org/xi/libyaml/commits/f859ed1eb757a3562b98a28a8ce69274bfd4b3f2
 [2] https://bitbucket.org/xi/libyaml/commits/af3599437a87162554787c52d8b16eab553f537b
===

Comment 1 Fedora Update System 2014-02-11 15:30:57 UTC
libyaml-0.1.5-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/libyaml-0.1.5-1.fc19

Comment 2 Fedora Update System 2014-02-11 15:33:38 UTC
libyaml-0.1.5-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/libyaml-0.1.5-1.fc20

Comment 3 Fedora Update System 2014-02-12 14:38:31 UTC
Package libyaml-0.1.5-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libyaml-0.1.5-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2348/libyaml-0.1.5-1.fc19
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-02-22 18:10:16 UTC
libyaml-0.1.5-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2014-02-22 18:17:40 UTC
libyaml-0.1.5-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.